
ShinyHunters go “dark” after Salesforce megahack — and leave 760 companies in the crossfire

DataBreach.com Team · September 18th 2025, 5:06 am EDT

The cyber-criminal collective ShinyHunters has always relished the spotlight. But after claiming to have stolen 1.5 billion Salesforce records from 760 organizations, the group announced it was “going dark” - only to resurface with a theater of leaks, extortion attempts, and victim name-drops.

Among the companies they bragged about breaching: Jaguar Land Rover, British Airways, Zscaler, Cloudflare, and dozens of others across industries. Whether every name checks out remains to be seen, but the pattern is clear: this wasn’t a surgical strike on a single tenant, it was a mass raid through a single OAuth integration.

The Drift connection that broke trust

The entry point was Salesloft’s Drift chat integration, which attackers abused to harvest OAuth tokens with privileged access to Salesforce. By the time Salesforce yanked the plug on August 28 - disabling the Drift app connection and revoking tokens - the damage was already done.

Cloudflare acknowledged that attackers rifled through its Salesforce case objects from August 12-17, while Zscaler confirmed exposure of customer contact details and licensing data. Salesforce customers everywhere have been told to rotate tokens and audit connected apps - advice that feels less like prevention than damage control.

Who’s confirmed they were hit

At least two dozen companies have now stepped forward with disclosures that attackers accessed their Salesforce data via the Drift connector. The list spans security vendors, SaaS providers, and even Google Workspace accounts tied to Drift Email:

| Company | What was accessed / disclosed | Date / Window | Disclosure |
|---|---|---|---|
| Cloudflare | Salesforce case objects, API tokens (104), support case data | Aug 12-17 | Blog |
| Zscaler | Contact details, phone numbers, licensing/support data | Aug 2025 | Company blog |
| Palo Alto Networks | Business contact info, internal sales account info, case data | Aug 2025 | Blog |
| Tenable | Portion of customer CRM/case data | Aug 2025 | Blog |
| Proofpoint | Unauthorized Salesforce tenant access | Aug 2025 | Statement |
| Qualys | Limited Salesforce info via Drift OAuth | Sept 6, 2025 | Blog |
| Rubrik | Suspicious Drift activity, possible Salesforce case access | Aug 22 | Blog |
| BeyondTrust | Limited Salesforce access via Drift | Aug 2025 | Advisory |
| Bugcrowd | Salesforce contact records; confirmed via Drift | Aug 2025 | Update |
| Cato Networks | Customer contact + case info | Aug 2025 | Statement |
| CyberArk | Salesforce CRM data | Aug 2025 | Blog |
| Dynatrace | Limited Salesforce case/contact exposure | Aug 2025 | Blog |
| Esker | Salesforce support cases, contact info | Aug 2025 | Roundup |
| JFrog | Salesforce records accessed; Drift OAuth abuse | Aug 2025 | Roundup |
| Nutanix | Salesforce case data | Aug 2025 | Blog |
| PagerDuty | Salesforce support case data | Aug 20 | Update |
| Workiva | Theft of Salesforce data tied to Drift | Aug 2025 | Disclosure |
| HackerOne | Subset of Salesforce records; vuln data not affected | Aug 2025 | Blog |
| Omada Identity | OAuth token misuse (Aug 8-18 window) | Aug 2025 | Blog |
| Agility PR (Bulldog Reporter) | Limited Salesforce org data | Aug 2025 | Statement |
| Elastic | Drift Email-connected inbox (not Salesforce); some emails with creds | Aug 2025 | Blog |
| SpyCloud | Limited Salesforce CRM exposure | Aug 2025 | Press |
| Tanium | Business contact info in Salesforce | Aug 2025 | Press |
| Google (Workspace accounts) | Very small number of accounts via Drift Email; core Workspace unaffected | Aug 9 | GTIG advisory |

Theatrics, branding, and the blurred lines of attribution

ShinyHunters’ “going dark” declaration was classic cyber-gang posturing: a promise to withdraw from the limelight while simultaneously teasing their “last big score.” But their fingerprints overlap with other crews. Google’s Threat Intelligence Group ties the Drift abuse to UNC6395, while the FBI has warned about UNC6040 (Scattered Spider) using similar Salesforce tactics.

Security firms like Obsidian even describe the episode as a “merger of chaos” between ShinyHunters and Scattered Spider - two brands long known for extortion, theatrics, and targeting high-value enterprises. Whether it’s collaboration, opportunism, or just shared infrastructure, the result is the same: hundreds of enterprises left wondering what walked out the door.

Why this breach isn’t over

The real risk isn’t the headlines - it’s what comes next. Salesforce tenants hold customer rosters, support tickets, attached logs, and even credentials tucked into case files. Once stolen, that data becomes the perfect seed stock for:

  • Phishing at scale: Case-specific lures that reference real customer issues.
  • Business email compromise: Leveraging exposed contacts, roles, and licensing data to launch invoice fraud or wire-transfer scams.
  • Supply-chain intrusion: Names like Jaguar and British Airways suggest this isn’t just SaaS metadata; it’s a foothold into global transport, finance, and manufacturing ecosystems.
  • Credential domino effects: Any password, token, or key once shared in a Salesforce case could open doors elsewhere if not rotated.

Even if ShinyHunters truly “go dark,” the data they already siphoned doesn’t vanish - it circulates. Each victim now faces months, if not years, of downstream abuse.

Where companies go from here

For organizations that ever connected Drift to Salesforce, the response can’t end with token rotation. It means:

  • Deep-dive audits of SOQL query logs during the Aug 8-18 window.
  • Rotating every credential ever attached to a Salesforce case.
  • Preparing customer-facing comms, because the breach narrative is evolving daily - and attackers are using Telegram leaks to pressure companies into silence or ransom.
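One way to work the first two items of that list, as an added example that is not DataBreach.com's or Salesforce's code: the script below triages API-event records from the Aug 8-18 window for the Drift connected app and scans case text for credential shapes that need rotating. The record layout, the app name "Drift" as it appears in logs, the row threshold, the secret patterns and the sample logs/cases are all assumptions (a real Salesforce EventLogFile export has its own columns that you would map onto these keys).

```python
# Added example (not DataBreach.com's or Salesforce's code). The record shape
# {ts, app, user, soql, rows} and the app name "Drift" are assumptions, not the
# real EventLogFile schema; map your export's columns onto these keys.
import re
from datetime import datetime, timezone

WINDOW_START = datetime(2025, 8, 8, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 8, 18, 23, 59, 59, tzinfo=timezone.utc)
SENSITIVE_OBJECTS = {"Case", "Contact", "Account", "EmailMessage"}
BULK_ROWS = 1000  # assumed threshold; tune to the app's normal volume
SOQL_FROM = re.compile(r"\bFROM\s+([A-Za-z_]\w*)", re.IGNORECASE)
SECRET_PATTERNS = {  # credential shapes often pasted into cases (assumed list)
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(r"(?i)\bpass(word|wd)?\s*[:=]\s*\S+"),
}
SAMPLE_LOGS = [  # constructed records
    {"ts": "2025-08-12T03:14:00Z", "app": "Drift", "user": "drift-int@example.test",
     "soql": "SELECT Id, Subject, Description FROM Case", "rows": 48213},
    {"ts": "2025-08-12T03:20:00Z", "app": "Drift", "user": "drift-int@example.test",
     "soql": "SELECT Id, Email, Phone FROM Contact", "rows": 12000},
    {"ts": "2025-08-05T10:00:00Z", "app": "Drift", "user": "drift-int@example.test",
     "soql": "SELECT Id FROM Lead LIMIT 50", "rows": 50},  # before the window
]
SAMPLE_CASES = {  # constructed case bodies
    "500-001": "Customer cannot log in. Temp password: Summer2025! set for testing.",
    "500-002": "Attached debug log shows key AKIAABCDEFGHIJKLMNOP in the config.",
    "500-003": "Renewal question, no technical details.",
}

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def triage(records, app="Drift"):
    """Records from `app` inside the window that read sensitive objects or dump rows in bulk."""
    flagged = []
    for r in records:
        if r["app"] != app or not (WINDOW_START <= _ts(r["ts"]) <= WINDOW_END):
            continue
        m = SOQL_FROM.search(r["soql"])
        obj = m.group(1) if m else "?"
        reasons = ([f"reads {obj}"] if obj in SENSITIVE_OBJECTS else []) + \
                  ([f"bulk export ({r['rows']} rows)"] if r["rows"] >= BULK_ROWS else [])
        if reasons:
            flagged.append({"ts": r["ts"], "object": obj, "reasons": reasons})
    return flagged

def rotation_candidates(cases):
    """Map case id -> credential types found in its text; each hit must be rotated."""
    hits = {cid: sorted(k for k, p in SECRET_PATTERNS.items() if p.search(body))
            for cid, body in cases.items()}
    return {cid: kinds for cid, kinds in hits.items() if kinds}
```

Every flagged record is a lead for the query-log audit, and every case in the rotation map names a secret that should be treated as exposed regardless of whether that specific case was confirmed read.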

The 1.5 billion records claim may be bluster, but the scope is undeniably massive. And because OAuth token compromise is a vendor-agnostic technique, the Salesforce-Drift episode feels less like a one-off and more like a dress rehearsal for future supply-chain-style breaches.

For media inquiries, contact us at contact@databreach.com